Wednesday, September 10, 2014

It doesn't take a genius to work out that there's a phenomenon where normal, rational human beings suddenly lose their minds every September. This is the month that Apple unveils its new iPhone, and it's also the month when Apple's other new products are unveiled to the public.

With these new iterations of phones or new products, we expect to see a cacophony of haters, naysayers and what have you, who prognosticate that Apple is failing to innovate if they don't release a new category product every other year, or that the latest iPhone is only an improvement on an old model instead of a completely new one, and there are those that outright say that a new device is just plain bad.

Even though we know that Apple has followed pretty much every record-selling quarter with an even bigger one for the past few years, the Internet has a habit of keeping stuff around for a long time, so we can see examples of what I mean from the haters who contradict it...

Next came the iPad... We've all heard the "But it doesn't run Flash" argument, or the "It's just a big iPhone... but without the phone functionality" tirades. Very quickly, though, the device was shifting a million units a month. Five generations and two Minis later, it's still selling very well.

However, it's very apparent when Apple's design is being ripped off by cheap copies - but then again, some people are happy with a lookalike product if it means they pay less. Then, when the bar is raised again by a new iOS version, instead of just installing the update so that your hardware lasts two or three years, you need to buy a whole new phone.

Yes, people don't want to upgrade their entire Android phone, but because of carriers and OS fragmentation, they usually have to.

So what about the new Apple Watch? There are already a few watches in the market. Let's take a look at them.

First, there is the Pebble.

This is a low-cost watch that looks very 1990s in its heritage. You could easily imagine the name Casio stamped across the top.

Then there is the Samsung Galaxy Gear S watch.

This is an improvement on the Pebble, but it's largely just an iPhone UI shrunk onto the wrist. You can change the colour of the strap to suit your style.

And there's the Sony one...

Sony have made watches for a long time, but they also went for the "shrunken" PDA kind of UI. Again, you can change the strap colour.

Then Apple comes along with the Apple Watch.

This is a marked departure from the "PDA" interface. The fact it has a crown (knob) too is a reminder that this is not a 1980s inspired "digital" design. I won't go through the list of features as that's been done elsewhere, but I do want to turn to the naysayers.

All I know is that above the cacophony of naysayers, there will be a slew of developers such as myself who know that many people will buy this device, and it will likely sell lots of them. Apple is rarely first into any market, be it computers, media players, phones or watches - but when it does go in, it generally raises the bar and disrupts things.

Friday, September 5, 2014

Sometimes, I see something that doesn't seem right to me, and internally I begin questioning it or trying to work out if it's deliberately not right for some other reason. In Ontario, our Smart Meters are one such item that perplexes me because for all the hay-making in the media about security, it's actually wide open.

In Ontario, places such as Ottawa and Toronto have this meter.

As meters go, it's pretty standard. There's an ID plate, an LCD screen that gives you basic information, and then there's an IR port on the right (it's the dot in the left-hand part of that recess on the right). Internally, there's a transmitter that sends your home's data to a designated neighbouring smart meter that acts as a master, aggregating and forwarding the data from its neighbouring slave meters.

The government and other electricity bodies went to great pains to point out that this data is secure and the remote meter repository where the data goes is secure, and the transmission is secure, and ... well, you get the picture.

But...

There's that little IR port on the front. It's just spilling live data onto your driveway, or beaming it onto your next-door neighbour's wall...

And that is a problem.

As with many attacks on your privacy, 9 out of 10 require little more than access to the hardware itself. There's no reason someone can't slide an IR receiver (about $2) over the port, connect it to an Arduino Mini Pro ($13) and wire the input through to a pen-laser ($5), and now for $20 they've extended your private data across the street, where it's picked up by a solar cell and decoded. Now that neighbour knows when you come and go, your habits and other patterns, etc.

The simple solution is just to stick some black electrical tape over the port. A better solution is to use a Blueline Powercost monitor on it - not only do you get useful information from it, but there's an added security angle in that you're blocking the port from prying eyes (and you get the added warning that it's being tampered with if you stop seeing data).

Now that you understand this simple flaw in logic, go and have a chuckle as you look through this FAQ document from the IPC.

Thursday, September 4, 2014

The news over recent years has become increasingly peppered with stories about large scale data breaches. Notable examples include:

Adobe - 152,000,000 records.

eBay - 145,000,000 records.

Target - 70,000,000 records.

JCPenney/Dow Jones/JetBlue/etc - 160,000 records.

Sony PSN - 77,000,000 records.

Heartland Payments - 130,000,000 records.

TJ / TK Maxx - 94,000,000 records.

AOL (2014) - 2,400,000 records.

AOL (2006) - 20,000,000 records.

AOL (2005) - 92,000,000 records.

As you can see, these aren't small numbers.

The latest breach appeared this week and it points to Home Depot. Now, Home Depot operates in Canada as well as the USA, Guam, Mexico and Puerto Rico, and much hay has been made over the issue in the media. Home Depot themselves put out a statement on the matter, and many security experts are looking at the issue.

Neal O’Farrell, an identity theft and security analyst for credit monitoring site Credit Sesame recommends consumers use the breach as “an earthquake drill” and go through the “security routines you’ve been putting off.”...

I had a quick think and, knowing that I use Home Depot regularly, I know there's a fair chance I could be caught up in this one if Canada is part of the breach. Whilst I can look at my statements after a breach, I've no idea about one key aspect of my financial protection: one way I may be protected is if the bank geo-fences transactions and can flag a transaction that's trying to go through outside of some safety area.

It turns out I'm not the only one thinking about this. A Krebs report on the matter (source) even says this:

The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).

Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.

So, I did the sensible thing and asked my bank to clarify what, if anything, exists to protect me:

@cibc In the wake of a store chain breach (ie Home Depot) what is your geographic local radius beyond which you block unusual transactions?
— Jason Coulls (@coulls) September 3, 2014

I thought this was a straightforward question to ask a financial institution... So you can imagine the face-palm I did when I read the response pointing me to a T&C page that makes no mention of geographic protection radii.

Needless to say, I had to point out that they've not answered the question... Then I re-asked the same question, but using a different wording.

@cibc I've already read through that agreement; it makes no reference to geographical limitations in miles or kilometres, hence my question.
— Jason Coulls (@coulls) September 3, 2014

@cibc Put another way, if I got breached, do you detect/step-in at 5km, 10km, 10000km? What is your geo-limit?
— Jason Coulls (@coulls) September 3, 2014

At this point, it should be pretty clear to the bank a) what I'm asking, and b) why I'm asking it. So having not answered the question, it tries to obfuscate the issue.

@coulls The location of a transaction is one way how we determine its legitimacy. If I say any more I'll be giving away all the goods. ^ET
— CIBC (@cibc) September 3, 2014

Now, anyone that's followed my previous gripes with this bank, and knows what I think about their relaxed security policies, history of foul-ups and bad communication, will know I was getting suspicious that such a number doesn't exist.

So, I changed the question to see if this reveals any security context, or if it generates blow-back:

@cibc OK - I'll change the question if you can't give a simple number: where is the centre of the secret radius? My branch, my house or HQ?
— Jason Coulls (@coulls) September 3, 2014

In a simple enquiry to the bank to understand how/if I'm protected on a geographical basis, the bank had first actively failed to answer the question, then tried to obfuscate the issue, then finally fell back to an "argument from ignorance" stance and tried to draw a line.

Now, "absence of evidence" does not imply "evidence of absence", but as a customer this is highly worrying when the "burden of proof" is on the bank and they can't explain it.
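For readers wondering what a geographic check of the kind being asked about actually looks like, here is an added example (not from this post, CIBC or Krebs): a radius rule run over constructed card transactions, with the two candidate centres the tweets name (home versus issuing branch). The radius, coordinates and transactions are all made up for illustration.

```python
"""Added example, not from the post or from any bank: a minimal version of the
geographic check the post asks CIBC about.  The radius, the two candidate
centres, the coordinates and the transactions are all constructed data."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class Transaction:
    merchant: str
    lat: float
    lon: float
    card_present: bool  # True for an in-store swipe/insert, False for online


def flag_out_of_area(txns, centre, radius_km):
    """Return the card-present transactions farther than radius_km from centre.

    Online (card-not-present) purchases carry no meaningful store location, so the
    rule only looks at in-store ones, which is also what the Krebs quote describes.
    """
    clat, clon = centre
    return [t for t in txns
            if t.card_present and haversine_km(clat, clon, t.lat, t.lon) > radius_km]


# Constructed sample data: a cardholder in Ottawa whose issuing branch is in Toronto.
HOME = (45.4215, -75.6972)    # cardholder's home address
BRANCH = (43.6532, -79.3832)  # issuing branch, downtown Toronto
RADIUS_KM = 25.0

SAMPLE_TXNS = [
    Transaction("Home Depot, Ottawa", 45.3513, -75.7563, True),    # ~9 km from HOME
    Transaction("Online retailer", 0.0, 0.0, False),               # no store location
    Transaction("Big-box store, Toronto", 43.6532, -79.3832, True),
    Transaction("Electronics store, Miami", 25.7617, -80.1918, True),
]

if __name__ == "__main__":
    for name, centre in (("home", HOME), ("branch", BRANCH)):
        flagged = flag_out_of_area(SAMPLE_TXNS, centre, RADIUS_KM)
        print(f"centre={name}: flagged {[t.merchant for t in flagged]}")
    # The Ottawa purchase is the Krebs caveat: a counterfeit copy used in the
    # cardholder's own area looks exactly like the cardholder to this rule.
```

Changing the centre from home to branch flips which legitimate purchase gets flagged, which is why "where is the centre?" matters as much as the radius; and a local fraudulent swipe is never flagged by distance alone.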

Conclusion:
To add to the litany of other security issues I know about, I don't think CIBC has me covered on this one either. My guess is it's not geofenced, and probably not even geocoded from the addresses of the banks, shops or ATMs where cards are used.

I can test this pretty easily too. Thankfully, this time it doesn't require a dog.